by Phil Allen, Ping Identity 29 October 2019
Machines are getting smarter and more mobile. From smart drones to driverless cars, intelligent vehicles are a hot technology. Recent advances in Artificial Intelligence (AI) and Machine Learning (ML) have made mass market deployment of fully autonomous vehicles a likely occurrence within the next decade.
Whether it’s on land, sea or air, vehicles of all kinds are increasingly software-driven and like all compute platforms, offer a tempting target for cyber-attack. Just looking at the automotive market alone, several pioneering projects are examining how to balance the need for system accessibility for legitimate human and machine-to-machine (M2M) communication with the challenges of secure access.
Secure access technologies that have been commonplace in the landscape for over a decade are rapidly making their way into automobiles. The reasons are part of a wider move for the car industry to begin to have an ongoing relationship with consumers instead of just that of a distant original equipment manufacturer (OEM). A key trend is around security which, in the age of keyless entry, has been victim to relay attack using a device that can intercept the signal from the key fob to allow a thief to steal vehicles. A recent test by What Car? Magazine tested seven different car models fitted with keyless entry and start systems and found that six of them could be stolen within 60 seconds.
To counter this issue, several brands have adopted multi-factor authentication (MFA) alongside short range geolocation beacons using devices such as smartphones to provide an additional security control before a vehicle can be driven. The system can support multiple drivers for fleet or shared vehicles and the first models are likely to emerge within the next year.
This leads into identity access management (IAM) solutions that are being integrated for drivers and vehicles to allow not just security but also to enable new business models. One large German manufacturer is testing a system as part of a short term car rental service. In this model, a member of the service could go to any town and, with keyless entry, gain access to a short term rental of the same make and model as their own car. The smartcard login automatically manages authentication, payment, and vehicle customization – in the same way that a VDI login creates a user’s workspace irrespective of which device they connect from.
Both technologies feed into the overarching goal for many in the industry which is the move to automation. Although still possibly five years away, a situation where a vehicle can drive itself, along with passengers, poses a possible security nightmare for many manufacturers and transportation service providers. A hacked robo-taxi might be scammed of fares, stolen outright or worse still, used to commit crimes. As such, securing how vehicles authenticate to their control networks along with embedded security within the vehicle between components such as the GPS and telemetry systems is a major project at several car makers.
In a future where cars are autonomous, there also needs to be smarter infrastructure for tasks such as recharging, entering parking structures and using toll roads and bridges. As such, vehicle identities including the use of digital certificates are becoming part of the process.
Although driverless cars are still a way off, the more pressing issue is around drones, both airborne and for tasks such as agricultural and construction. Increasingly, these devices are running autonomously based on pre-programmed logic with limited oversight. As recent issues with rogue drones closing airports and the more worrying assassination attempt of Bolivia’s disputed President Maduro via a drone packed with explosives, the ability to secure access to drones is a challenging problem.
Although the Civil Aviation Authority (CAA) has rules around their use including restrictions on flying above 400 feet in altitude or more than 500 meters away, the Authority has no way to check what drones are in the air at any point or who is at the controls. The challenge is not a security issue but a matter of law and as drones become more autonomous, a number of innovators such a DJI, a major drone manufacturer, that already requires users to log-on to a drone before they can fly, may well become part of a wider mandatory regulation that enforces drone flights more rigorously by sharing login details with aviation authorities.
The rise of the machines is inevitable, at least for drones; however, securing the impact will be a major requirement across a wide range of industries and one in which IAM will play an important role.
Phil Allen is VP EMEA at Ping Identity, a software company developing identity and access management solutions.